From nobody@FreeBSD.org  Wed Apr 21 05:22:12 2010
Date: Wed, 21 Apr 2010 05:22:11 GMT
From: J R Matthews <jrm@darktide.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: /etc/rc.d/named doesn't correctly handle chrooted directories

>Number:         145904
>Category:       conf
>Synopsis:       [rc.d] /etc/rc.d/named doesn't correctly handle chrooted directories
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 21 05:30:01 UTC 2010
>Closed-Date:    Sat May 08 22:26:21 UTC 2010
>Last-Modified:  Sat May 08 22:26:21 UTC 2010
>Originator:     J R Matthews
>Release:        8.0-RELEASE-p2
>Organization:
>Environment:
FreeBSD abyss 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #4: Sat Mar 13 11:19:13 UTC 2010     root@titanium:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
During the 'precmd' phase of /etc/rc.d/named, the 'named-checkconf' call doesn't take into account the $named_chrootdir variable and, due to that, it doesn't call named-checkconf with a chroot set. This can cause issues if you are running a chroot'd named, and your configurations will not verify without the chroot.

If this were to behave correctly, the variable $named_chrootdir should be checked to see whether it's set and 'named-checkconf' called appropriately:

Something like:

        # Pass the chroot to named-checkconf only when one is configured
        if [ -n "$named_chrootdir" ]; then
                ${command%/named}/named-checkconf -t $named_chrootdir $named_conf || err 3 'named-checkconf for $named_conf failed'
        else
                ${command%/named}/named-checkconf $named_conf || err 3 'named-checkconf for $named_conf failed'
        fi

As my named.conf is set up in a specific way, due to these bad checks, I've had to modify my /etc/rc.d/named in the above way so that the config checks pass, as they wouldn't otherwise.
>How-To-Repeat:
Set your named.conf to reference something that's absolute to the named chroot, and watch the init script fail.
>Fix:
A suggested fix is provided above, wherein the $named_chrootdir variable is checked before calling named-checkconf in an appropriate way.
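Added example, not code from this PR or from FreeBSD's /etc/rc.d/named: it models the two things the report is about, how the named-checkconf command line should be built from $named_chrootdir and $named_chroot_autoupdate, and why a chroot-absolute include in named.conf fails when checked from the host view but resolves once the chroot prefix is applied (what -t does). The function names, the temporary directory tree and the include line are constructed for the demo.

```shell
#!/bin/sh
# Added example; the helpers and the temp tree are constructed, not rc.d code.

# (1) Build the named-checkconf command line: add "-t $chrootdir" only when
# named_chroot_autoupdate is off and a chroot directory is configured.
# $1 = path of the named binary, $2 = chrootdir ('' = none),
# $3 = named_chroot_autoupdate (YES/NO), $4 = named_conf
named_checkconf_cmd() {
    _cc="${1%/named}/named-checkconf"
    case "$3" in
        [Yy][Ee][Ss]) ;;                        # conf is symlinked into place
        *) [ -n "$2" ] && _cc="$_cc -t $2" ;;  # resolve paths inside chroot
    esac
    printf '%s %s\n' "$_cc" "$4"
}

# (2) Resolve each 'include "/abs/path";' the way -t does: prefix the chroot.
# Returns 0 when the conf and every include are readable, 1 otherwise.
# $1 = chroot prefix ('' = host view), $2 = host path of the named.conf
includes_resolvable() {
    [ -r "$2" ] || return 1
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$2" |
    while IFS= read -r inc; do
        [ -r "$1$inc" ] || { echo "missing: $1$inc" >&2; exit 1; }
    done
}

# Constructed chroot tree with a /etc/namedb layout under a temp dir.
chrootdir=$(mktemp -d)
trap 'rm -rf "$chrootdir"' EXIT
mkdir -p "$chrootdir/etc/namedb"
echo 'zone "example.test" { type master; file "example.db"; };' \
    > "$chrootdir/etc/namedb/example.zones.conf"
printf 'options { directory "/etc/namedb"; };\ninclude "/etc/namedb/example.zones.conf";\n' \
    > "$chrootdir/etc/namedb/named.conf"

# Host view (what the old precmd checked): the include path does not exist.
if includes_resolvable "" "$chrootdir/etc/namedb/named.conf"; then
    echo "host view: ok"
else
    echo "host view: fails, as the PR reports"
fi
# Chroot view (what -t gives named-checkconf): the include resolves.
if includes_resolvable "$chrootdir" "$chrootdir/etc/namedb/named.conf"; then
    echo "chroot view: ok"
fi
echo "command: $(named_checkconf_cmd /usr/sbin/named "$chrootdir" NO /etc/namedb/named.conf)"
```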

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Apr 21 05:56:15 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145904 
Responsible-Changed-From-To: freebsd-rc->dougb 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Wed Apr 21 16:11:36 UTC 2010 
Responsible-Changed-Why:  

My area. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145904 
State-Changed-From-To: open->analyzed 
State-Changed-By: dougb 
State-Changed-When: Mon Apr 26 21:35:41 UTC 2010 
State-Changed-Why:  

The problem is more subtle than what you described, which doesn't even happen 
if you have named_chroot_autoupdate set, which it is by default.  

In any case, I've included a patch in the audit trail, please give it a try 
and report back. 


Thanks, 

Doug 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145904 
State-Changed-From-To: analyzed->patched 
State-Changed-By: dougb 
State-Changed-When: Wed Apr 28 22:27:02 UTC 2010 
State-Changed-Why:  

I committed a fix for this in r207346. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145904 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/145904: commit references a PR
Date: Wed, 28 Apr 2010 22:29:31 +0000 (UTC)

 Author: dougb
 Date: Wed Apr 28 22:29:17 2010
 New Revision: 207346
 URL: http://svn.freebsd.org/changeset/base/207346
 
 Log:
   In the case where named_chroot_autoupdate is NOT set, but
   named_chrootdir IS set, named-checkconf fails because it
   cannot find the conf file. Fix this by making checkconf a
   variable that includes "-t $named_chrootdir" as needed.
   Notice of the bug and suggested direction for the fix from [1].
   
   Using required_files for named.conf is overkill ever since
   I added the named-checkconf call, so rather than update the
   logic to handle the case described above, remove it. This
   also handles the case where named_chroot_autoupdate IS set
   but the symlink doesn't exist yet.
   
   PR:		conf/145904
   Submitted by:	J R Matthews
 
 Modified:
   head/etc/rc.d/named
 
 Modified: head/etc/rc.d/named
 ==============================================================================
 --- head/etc/rc.d/named	Wed Apr 28 22:26:30 2010	(r207345)
 +++ head/etc/rc.d/named	Wed Apr 28 22:29:17 2010	(r207346)
 @@ -192,6 +192,13 @@ named_prestart()
  		$confgen_command
  	fi
  
 +	local checkconf
 +
 +	checkconf="${command%/named}/named-checkconf"
 +	if ! checkyesno named_chroot_autoupdate && [ -n "$named_chrootdir" ]; then
 +		checkconf="$checkconf -t $named_chrootdir"
 +	fi
 +
  	# Create a forwarder configuration based on /etc/resolv.conf
  	if checkyesno named_auto_forward; then
  		if [ ! -s /etc/resolv.conf ]; then
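Review bot: `$named_chrootdir` is interpolated unquoted into `checkconf="$checkconf -t $named_chrootdir"` and the whole string is later expanded unquoted as a command, so a chroot path containing whitespace would be split into extra arguments; fine for the conventional /var/named, but worth either a comment or keeping the `-t` argument separate from the command string. The `! checkyesno named_chroot_autoupdate` guard matches the log's reasoning: with autoupdate on, the config is reachable from the host view and no `-t` is needed.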
 @@ -201,7 +208,7 @@ named_prestart()
  			[ -s "${named_confdir}/auto_forward.conf" ] &&
  			    create_file ${named_confdir}/auto_forward.conf
  
 -			${command%/named}/named-checkconf $named_conf ||
 +			$checkconf $named_conf ||
  			    err 3 'named-checkconf for $named_conf failed'
  			return
  		fi
 @@ -263,8 +270,7 @@ named_prestart()
  		    create_file ${named_confdir}/auto_forward.conf
  	fi
  
 -	${command%/named}/named-checkconf $named_conf ||
 -	    err 3 'named-checkconf for $named_conf failed'
 +	$checkconf $named_conf || err 3 'named-checkconf for $named_conf failed'
  }
  
  load_rc_config $name
 @@ -272,7 +278,7 @@ load_rc_config $name
  # Updating the following variables requires that rc.conf be loaded first
  #
  required_dirs="$named_chrootdir"	# if it is set, it must exist
 -required_files="${named_conf:=/etc/namedb/named.conf}"
 +
  pidfile="${named_pidfile:-/var/run/named/pid}"
  named_confdir="${named_chrootdir}${named_conf%/*}"
  
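Review bot: the removed `required_files="${named_conf:=/etc/namedb/named.conf}"` line was also where `named_conf` received its `:=` default; after this hunk nothing in the visible lines assigns it, yet `named_confdir="${named_chrootdir}${named_conf%/*}"` two lines below and the `$checkconf $named_conf` calls depend on it. Confirm the default is supplied by /etc/defaults/rc.conf, or keep the assignment as `: ${named_conf:=/etc/namedb/named.conf}`. Dropping `required_files` also moves the "conf file missing" report from rc.subr's required_files message to named-checkconf's own error, which the log says is intended.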
 
State-Changed-From-To: patched->closed 
State-Changed-By: dougb 
State-Changed-When: Sat May 8 22:25:47 UTC 2010 
State-Changed-Why:  

The fix has now been merged through RELENG_6. Thanks again for 
bringing this to my attention. 


Regards, 

Doug 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145904 
>Unformatted:


Index: named
===================================================================
--- named	(revision 207134)
+++ named	(working copy)
@@ -192,6 +192,13 @@
 		$confgen_command
 	fi
 
+	local checkconf
+
+	checkconf="${command%/named}/named-checkconf"
+	if ! checkyesno named_chroot_autoupdate && [ -n "$named_chrootdir" ]; then
+		checkconf="$checkconf -t $named_chrootdir"
+	fi
+
 	# Create a forwarder configuration based on /etc/resolv.conf
 	if checkyesno named_auto_forward; then
 		if [ ! -s /etc/resolv.conf ]; then
@@ -201,7 +208,7 @@
 			[ -s "${named_confdir}/auto_forward.conf" ] &&
 			    create_file ${named_confdir}/auto_forward.conf
 
-			${command%/named}/named-checkconf $named_conf ||
+			$checkconf $named_conf ||
 			    err 3 'named-checkconf for $named_conf failed'
 			return
 		fi
@@ -263,8 +270,7 @@
 		    create_file ${named_confdir}/auto_forward.conf
 	fi
 
-	${command%/named}/named-checkconf $named_conf ||
-	    err 3 'named-checkconf for $named_conf failed'
+	$checkconf $named_conf || err 3 'named-checkconf for $named_conf failed'
 }
 
 load_rc_config $name
@@ -272,7 +278,13 @@
 # Updating the following variables requires that rc.conf be loaded first
 #
 required_dirs="$named_chrootdir"	# if it is set, it must exist
-required_files="${named_conf:=/etc/namedb/named.conf}"
+
+if ! checkyesno named_chroot_autoupdate && [ -n "$named_chrootdir" ]; then
+	required_files="${named_chrootdir}${named_conf:=/etc/namedb/named.conf}"
+else
+	required_files="${named_conf:=/etc/namedb/named.conf}"
+fi
+
 pidfile="${named_pidfile:-/var/run/named/pid}"
 named_confdir="${named_chrootdir}${named_conf%/*}"
 
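Review bot: the `if ! checkyesno named_chroot_autoupdate && [ -n "$named_chrootdir" ]` test in this hunk duplicates the one in the first hunk of named_prestart; computing the chroot-aware conf path once after load_rc_config and reusing it for both `required_files` and the `-t` argument would keep the two conditions from drifting. Note also that `required_files` is evaluated by rc.subr before named_prestart runs, so with autoupdate on and the symlink not yet created the host-path check still fails; the committed r207346 above drops `required_files` for exactly that case.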
